AUDIT REPORT

Audit of NRC's Shared "S" Drive

OIG-11-A-15, July 27, 2011

All publicly available OIG reports (including this report) are accessible through NRC's Web site at:
http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/


UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

July 27, 2011

MEMORANDUM TO:  R. William Borchardt
                Executive Director for Operations

FROM:           Stephen D. Dingbaum /RA/
                Assistant Inspector General for Audits

SUBJECT:        AUDIT OF NRC'S SHARED "S" DRIVE (OIG-11-A-15)

Attached is the Office of the Inspector General's (OIG) audit report titled, Audit of NRC's Shared "S" Drive.

The report presents the results of the subject audit. Informal comments provided by agency management and staff have been incorporated, as appropriate, into this report.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915 or Beth Serepca, Security and Information Team Leader, at 415-5911.

Attachment: As stated


Electronic Distribution

Edwin M. Hackett, Executive Director, Advisory Committee on Reactor Safeguards
E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Stephen G. Burns, General Counsel
Brooke D. Poole, Director, Office of Commission Appellate Adjudication
James E. Dyer, Chief Financial Officer
Margaret M. Doane, Director, Office of International Programs
Rebecca L. Schmidt, Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
R. William Borchardt, Executive Director for Operations
Michael F. Weber, Deputy Executive Director for Materials, Waste, Research, State, Tribal, and Compliance Programs, OEDO
Darren B. Ash, Deputy Executive Director for Corporate Management, OEDO
Martin J. Virgilio, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Nader L. Mamish, Assistant for Operations, OEDO
Kathryn O. Greene, Director, Office of Administration
Patrick D. Howard, Director, Computer Security Office
Roy P. Zimmerman, Director, Office of Enforcement
Charles L. Miller, Director, Office of Federal and State Materials and Environmental Management Programs
Cheryl L. McCrary, Director, Office of Investigations
Thomas M. Boyce, Director, Office of Information Services
Miriam L. Cohen, Director, Office of Human Resources
Michael R. Johnson, Director, Office of New Reactors
Catherine Haney, Director, Office of Nuclear Material Safety and Safeguards
Eric J. Leeds, Director, Office of Nuclear Reactor Regulation
Brian W. Sheron, Director, Office of Nuclear Regulatory Research
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
James T. Wiggins, Director, Office of Nuclear Security and Incident Response
William M. Dean, Acting Regional Administrator, Region I
Victor M. McCree, Regional Administrator, Region II
Mark A. Satorius, Regional Administrator, Region III
Elmo E. Collins, Jr., Regional Administrator, Region IV


EXECUTIVE SUMMARY

BACKGROUND

The President of the United States has directed Federal agencies to promote information sharing with the public and improve the transparency of Government operations.[1] Nevertheless, applicable laws and Governmentwide policies require the U.S. Nuclear Regulatory Commission (NRC) and other Federal agencies to protect some types of information against accidental or intentional disclosure.

NRC staff process on agency networks a category of sensitive unclassified information unique to NRC called Sensitive Unclassified Non-Safeguards[2] Information (SUNSI).[3] NRC defines SUNSI as:

    …any information of which the loss, misuse, modification, or unauthorized access can reasonably be foreseen to harm the public interest, the commercial or financial interests of the entity or individual to whom the information pertains, the conduct of NRC and Federal programs, or the personal privacy of individuals.

NRC staff can process electronic documents containing SUNSI in a variety of ways. For instance, some documents may be saved in the non-public version of NRC's online data system — the Agencywide Documents Access and Management System (ADAMS).[4] Staff may also exchange documents on internal SharePoint[5] Web sites, which staff can configure to limit access rights to specific employees or groups of employees. Additionally, NRC staff can save documents on shared network drives.[6] These shared drives include "G" drives accessible by staff within NRC program offices; an "R" drive, an agencywide drive with read-only access; and an "S" drive, which allows all staff whose user accounts are on the same file server to add, read, edit, and delete documents unless documents are stored in folders configured to limit access to specific employees or groups of employees. Regardless of how NRC employees exchange SUNSI on agency networks, Federal law requires that NRC maintain adequate controls over the confidentiality, integrity, and availability of this information.[7]

[1] Office of Management and Budget Memorandum M-10-06; Subject: Open Government Directive; December 8, 2009.
[2] Safeguards information is information relating to certain material control and accounting procedures for special nuclear material or security measures for the physical protection of special nuclear material, source material, or byproduct material.
[3] NRC includes Personally Identifiable Information (PII) as a category of SUNSI. PII includes information that can be used to distinguish or trace an individual's identity, such as one's date of birth, Social Security Number, or home contact information.
[4] ADAMS is NRC's official repository for documents pertaining to the agency's regulatory activities.
[5] SharePoint is a software program that allows staff to set up Web sites to share information with others and allows staff to manage documents. SharePoint can be used to manage databases, reports, and business applications.
[6] Documents containing classified or Safeguards information may not be processed on NRC's unclassified networks or placed in ADAMS.
[7] Federal Information Security Management Act of 2002, 44 U.S.C. § 3542.

PURPOSE

The audit objective was to assess whether NRC effectively protects electronic documents containing Personally Identifiable Information (PII) and other types of SUNSI on NRC's shared network drives.

RESULTS IN BRIEF

NRC has policies for protecting electronic documents containing SUNSI that are processed on agency shared network drives. Nevertheless, NRC can improve training, communication, coordination, and quality assurance controls to ensure that access to these documents is limited to a need-to-know basis. NRC guidance requires that access to documents containing SUNSI be controlled on a need-to-know basis. NRC has procedures to control documents containing SUNSI that are stored on its computer network. Nevertheless, auditors found documents containing specific types of SUNSI, such as PII and allegations material, on shared network drives without appropriate protections.

RECOMMENDATIONS

This report makes recommendations to improve training, communication, coordination, and quality assurance controls to ensure SUNSI is limited to a need-to-know basis.

AGENCY COMMENTS

At an exit conference on June 30, 2011, agency management provided informal comments on a draft of this report. The Office of the Inspector General incorporated some of these comments as appropriate. As a result, the agency opted not to provide formal comments for inclusion in this report.


ABBREVIATIONS AND ACRONYMS

ADAMS   Agencywide Documents Access and Management System
CSO     Computer Security Office
CUI     Controlled Unclassified Information
IT      information technology
NARA    U.S. National Archives and Records Administration
NRC     U.S. Nuclear Regulatory Commission
OIG     Office of the Inspector General
OIS     Office of Information Services
PII     Personally Identifiable Information
SBU     Sensitive but Unclassified
SUNSI   Sensitive Unclassified Non-Safeguards Information


TABLE OF CONTENTS

EXECUTIVE SUMMARY ........................................ i
ABBREVIATIONS AND ACRONYMS ............................... iv
   I.   BACKGROUND ....................................... 1
   II.  PURPOSE .......................................... 4
   III. FINDING .......................................... 4
        NRC CAN IMPROVE TRAINING, COMMUNICATION, COORDINATION, AND QUALITY
        ASSURANCE CONTROLS TO ENSURE SECURITY OF SUNSI ON NETWORK DRIVES ... 4
   IV.  RECOMMENDATIONS .................................. 10
   V.   AGENCY COMMENTS .................................. 11
APPENDIX
        SCOPE AND METHODOLOGY ............................ 12


I. BACKGROUND

The President of the United States has directed Federal agencies to promote information sharing with the public and improve the transparency of Government operations.[8] Nevertheless, applicable laws and Governmentwide policies require NRC and other Federal agencies to protect some types of information against accidental or intentional disclosure. For example, the Federal Government has in recent years increased its emphasis on protecting Personally Identifiable Information (PII) processed on its computer networks. PII includes information that can be used to distinguish or trace an individual's identity, such as one's date of birth, Social Security Number, or home contact information. NRC processes some PII in dedicated record systems to comply with the Privacy Act of 1974.[9] However, not all PII is subject to Privacy Act protections, and such PII may be processed on the agency's shared network drives. Given the sensitivity of this information, NRC has specific policies that agency staff must follow in storing and transmitting PII electronically. Further, NRC has a formal process for documenting potential PII breaches, reporting these incidents to the Department of Homeland Security,[10] and taking remedial action if necessary. As an additional precaution, NRC staff perform annual automated scans of the agency's networks to detect PII that may be stored without adequate protections. Positive results of these scans are reported to program office staff, who then determine the proper course of action on a case-by-case basis.

NRC staff also process on agency networks a broader category of sensitive unclassified information unique to NRC called Sensitive Unclassified Non-Safeguards[11] Information (SUNSI).[12] NRC defines SUNSI as:

    …any information of which the loss, misuse, modification, or unauthorized access can reasonably be foreseen to harm the public interest, the commercial or financial interests of the entity or individual to whom the information pertains, the conduct of NRC and Federal programs, or the personal privacy of individuals.

[8] Office of Management and Budget Memorandum M-10-06; Subject: Open Government Directive; December 8, 2009.
[9] NRC's Privacy Act systems of records are documented in the Federal Register, and include records such as personnel performance appraisals, payroll accounting records, personnel security files, and drug testing program records.
[10] Specifically, NRC must report a potential PII breach to the Department of Homeland Security's United States Computer Emergency Response Team within one hour of discovering the breach.
[11] Safeguards information is information relating to certain material control and accounting procedures for special nuclear material or security measures for the physical protection of special nuclear material, source material, or byproduct material.
[12] NRC includes PII as a category of SUNSI information.

In general, SUNSI is information pertaining to agency operations that should be exchanged only on a need-to-know basis. Further, SUNSI must not be made publicly available without formal internal review for decontrol, or review in response to Freedom of Information Act requests for particular documents. NRC divides SUNSI into the following seven main categories:

1. Allegation information.
2. Investigation information.
3. Security-related information.
4. Proprietary information.
5. Privacy Act information/PII.
6. Federal-, State-, foreign government-, and international agency-controlled information.
7. Sensitive internal information.

The U.S. National Archives and Records Administration (NARA) is currently leading a Governmentwide initiative to create a primary sensitive information category called "Controlled Unclassified Information" (CUI)[13] that will include many subcategories that Federal agencies may assign to their CUI documents. Once CUI becomes standardized across the Federal Government, it will supersede SUNSI at NRC. As a result, NRC has developed a set of common document categories and related markings that include the SUNSI categories. NRC has submitted this information to NARA for review and inclusion in the CUI program.

[13] Executive Order No. 13556 of November 4, 2010.

NRC staff can process electronic documents containing SUNSI in a variety of ways. For instance, some documents may be saved in the non-public version of NRC's Agencywide Documents Access and Management System (ADAMS)[14] data system. Staff may also exchange documents on internal SharePoint[15] Web sites, which staff can configure to limit access rights to specific employees or groups of employees. Additionally, NRC staff can save documents on shared network drives.[16] These shared drives include "G" drives accessible by staff within NRC program offices; an "R" drive, an agencywide drive with read-only access; and an "S" drive, which allows all staff whose user accounts are on the same file server to add, read, edit, and delete documents unless documents are stored in folders configured to limit access to specific employees or groups of employees. Regardless of how NRC employees exchange SUNSI on agency networks, Federal law requires that NRC maintain adequate controls over the confidentiality, integrity, and availability of this information.[17]

NRC's network drives reside on servers located at NRC headquarters, regional offices, and the Technical Training Center. In 2010, NRC completed a process of consolidating its servers in an effort to make more efficient use of its information technology (IT) infrastructure. As part of the process, NRC decommissioned existing servers and installed new servers from the same vendor product line that supports the agency's e-mail, Web-based applications, and other IT functions. NRC also transferred data from outgoing servers to new servers and reconfigured connections among various drives to replicate connections that existed before the consolidation process began. This affected the labeling and layout of drives seen by staff on their computer screens. For example, multiple "R" and "S" drives were consolidated into single "R" and "S" drives.

NRC's Office of Information Services (OIS) manages the agency's IT infrastructure and oversees network upgrades, such as server consolidation performed by contractors. OIS also organizes and conducts NRC's annual PII scans. IT coordinators designated by NRC program offices coordinate within their respective offices reviews of PII scan results. These IT coordinators also facilitate IT service requests on behalf of staff in their respective program offices. In addition, NRC's Computer Security Office (CSO) plays a primary role in detecting, analyzing, and responding to information security breaches, as well as developing and implementing NRC's IT security policies.

[14] ADAMS is NRC's official repository for documents pertaining to the agency's regulatory activities.
[15] SharePoint is a software program that allows staff to set up Web sites to share information with others and allows staff to manage documents. SharePoint can be used to manage databases, reports, and business applications.
[16] Documents containing classified or Safeguards information may not be processed on NRC's unclassified networks or placed in ADAMS.
[17] Federal Information Security Management Act of 2002, 44 U.S.C. § 3542.


II. PURPOSE

The audit objective was to assess whether NRC effectively protects electronic documents containing PII and other types of SUNSI on NRC's shared network drives. This audit did not address protection of documents containing classified and Safeguards information. The report appendix contains information on the audit scope and methodology.


III. FINDING

NRC Can Improve Training, Communication, Coordination, and Quality Assurance Controls to Ensure Security of SUNSI on Network Drives

NRC has policies for protecting electronic documents containing SUNSI that are processed on agency shared network drives. Nevertheless, NRC can improve training, communication, coordination, and quality assurance controls to ensure that access to these documents is limited to a need-to-know basis. NRC guidance requires that access to documents containing SUNSI be controlled on a need-to-know basis. NRC has procedures to control documents containing SUNSI that are stored on its computer network. Nevertheless, auditors found documents containing specific types of SUNSI, such as PII and allegations material, on shared network drives without appropriate protections. The problems occurred for four main reasons.

1. NRC has not provided adequate training on specific practices for protecting documents containing SUNSI that are processed on shared network drives.

2. NRC has not adequately communicated to its staff specific guidance for protecting documents containing SUNSI that are processed on network shared drives.

3. There is a range of skills among IT coordinators, but NRC does not provide them with role-based training regarding NRC network and information security policies. This constrains IT coordinators from being able to provide guidance consistently on how to protect SUNSI stored on NRC's shared network drives and ensure compliance with NRC policy.

4. Recent technology upgrades resulted in a temporary loss of access controls over information on the "S" drive.

Although auditors found no evidence that SUNSI identified on shared network drives had been compromised, these issues require management attention so that NRC can better manage risks to the confidentiality, integrity, and reliability of SUNSI processed on the agency's shared network drives.

SUNSI Should Be Accessible Only on a "Need-to-Know" Basis

NRC Management Directives[18] and other internal guidance[19] state that NRC staff who have a need to know sensitive information to perform their official duties may have access to that information; otherwise, access should be restricted. NRC provides instructions on how to implement access controls on all categories of SUNSI within ADAMS.[20] For example, "allegation information" may not be processed in ADAMS, while "security-related information" may be processed in ADAMS but must have assigned access rights to user groups with a need to access the information to perform their official duties. This guidance also describes how to transmit SUNSI, including PII, within and outside NRC.

[18] Management Directive 12.5, NRC Automated Information Security Program, and Management Directive 12.6, NRC Sensitive Unclassified Information Security Program.
[19] NRC posts information about SUNSI policies and procedures on the agency's intranet.
[20] ADAMS has a publicly available version, as well as a non-public version restricted to employees with network access.

Auditors Found Instances of SUNSI, Including PII, on Shared Network Drives

Office of the Inspector General (OIG) auditors systematically reviewed documentation stored on the agency's "S" drive and found documents containing all categories of SUNSI, including PII. Examples of PII found include the personal information of past and current NRC commissioners, including home addresses, home telephone numbers, passport information, and credit card information.[21] PII was found despite NRC's efforts to locate all PII in its annual automated scans as recommended by the OIG in 2006.[22] Table 1 shows examples of SUNSI that auditors found in their review of "S" drive documentation.

[21] Some of the PII that auditors found was embedded in portable document format files, or "PDF files," which can contain images. NRC's annual PII scan of shared network drives did not detect these files.
[22] OIG-06-A14, Evaluation of Personal Privacy Information Found on NRC Network Drives.

Table 1: Examples of SUNSI Including PII Detected on "S" Drive

Information Category: Personally Identifiable Information
  Sub-Definition: All information that can be used to distinguish or trace an individual's identity.
  Example(s) Found on "S" Drive: A Commissioner's and employees' home addresses, home phone numbers, passport images, and credit card images; an employee's personal bank account information; and personnel action documents.

Information Category: Allegation Information
  Sub-Definition: Confidential or sensitive allegation information.
  Example(s) Found on "S" Drive: Allegation intake forms with names of accused individuals, accusations against the individuals, and a notice of violation issued as a result of an allegation.

Information Category: Security-Related Information
  Sub-Definition: 10 CFR 2.390 Information; information that could be useful to a terrorist attack; sensitive Homeland Security information; licensee-submitted critical energy infrastructure or Transportation Security Administration information.
  Example(s) Found on "S" Drive: Multiple files and folders filled with information categorized as "Security-Related Information," including requests for information and letters, information on security of fuel cycle facilities, and cybersecurity program information for nuclear facilities.

Information Category: Sensitive Internal Information
  Sub-Definition: Attorney-client privilege, attorney work product, pre-decisional information, information submitted to the Commission marked "Sensitive," and others.
  Example(s) Found on "S" Drive: More than 50 folders containing legal advice and including names and details of advice sought.

Information Category: Investigation Information
  Sub-Definition: Any Office of Investigations or Office of the Inspector General investigation-related documents.
  Example(s) Found on "S" Drive: Report of an Office of Investigations case.

Information Category: Federal-, State-, Foreign Government-, and International Agency-Controlled Information
  Sub-Definition: Information not to be released to foreign nationals, Official Use Only Department of Energy information, Naval Nuclear Propulsion Information, Sensitive but Unclassified (SBU) information from the Department of State, and others.
  Example(s) Found on "S" Drive: Foreign travel trip reports, SBU letters.

Information Category: Proprietary Information
  Sub-Definition: Trade secrets, confidential commercial or financial information, Institute of Nuclear Power Operations information, Source Evaluation Proprietary Data.
  Example(s) Found on "S" Drive: Multiple IT system management documents, including test plans and other proprietary data.

Additionally, during the course of this audit, access control profiles for allegations folders on a regional office shared network drive changed temporarily to a general default setting.[23] This error occurred during a network upgrade and, temporarily, made the allegations folders accessible to any employees with regional office network access, regardless of their need to know this information. Upon detecting this error, NRC staff referred the error to OIS and CSO, and the original access permissions—which limited folder access to three NRC employees—were restored.

Training, Communication, Coordination, and Technological Factors Contributed to Improper Handling of SUNSI on NRC Networks

The discovery of SUNSI on shared network drives and the release of allegations data in a regional office occurred for four main reasons:

1. NRC has not provided adequate training to NRC staff on specific practices for protecting documents containing SUNSI that are processed on shared network drives. Although IT coordinators stated that NRC users receive annual training, the annual online training classes offered by the NRC address broader computer and information security issues. For example, the annual Information Security Awareness course focuses largely on protection of classified[24] and Safeguards information, and does not address protection of SUNSI stored electronically on agency shared network drives.
NRC\xe2\x80\x99s annual Computer Security Awareness course\n                         addresses PII protections, but not NRC-specific policies and\n                         procedures for protecting SUNSI.25 Additionally, existing PII training\n                         does not include knowledge checks, such as multiple choice\n                         questions, and briefly mentions in a single bullet point that staff\n                         should not store PII on the agency\xe2\x80\x99s shared network drives.\n\n\n\n\n23\n     The correct access control profiles limited folder access to just three NRC regional office staff.\n24\n  Classified information is information that could cause damage to national security as a result of\nunauthorized disclosure.\n25\n   This training advises staff to store \xe2\x80\x95sensitive information, including PII\xe2\x80\x96 only on \xe2\x80\x95an authorized\ninformation system.\xe2\x80\x96 It also advises staff never to transmit, store or process this information on a \xe2\x80\x95non-\nsenstive system.\xe2\x80\x96\n\n\n                                                         8\n\x0c                                                                        Audit of NRC\xe2\x80\x99s Shared \xe2\x80\x95S\xe2\x80\x96 Drive\n\n\n\n\n                      2. NRC has not adequately communicated to its staff specific guidance\n                         for protecting documents containing SUNSI that are processed on\n                         shared network drives. NRC has issued network announcements\n                         regarding SUNSI and PII-specific policies. However, these e-mail\n                         announcements\xe2\x80\x94if opened and read by NRC staff\xe2\x80\x94often require\n                         staff to follow Intranet links to more detailed discussion of agency\n                         policy. 
In addition, network announcements with detailed\n                         instructions for staff are not always timed closely with network\n                         changes that could impact SUNSI protection. For example, in\n                         December 2010, NRC sent an announcement about changes to\n                         network shared drives,26 which advised staff to \xe2\x80\x95be prudent\xe2\x80\x96 about\n                         information saved on these drives. In May 2011\xe2\x80\x94five months\n                         later\xe2\x80\x94NRC sent a more detailed announcement about protecting PII\n                         on shared network drives through access control settings.\n\n                      3. Varying skill levels and the limited scope of IT coordinators\xe2\x80\x99 duties\n                         constrain their ability to educate staff about policies for handling\n                         SUNSI and ensure staff compliance. In one quarter of the 28 IT\n                         coordinator interviews, 27 IT coordinators were uncertain whether\n                         NRC staff used the agencywide shared \xe2\x80\x95S\xe2\x80\x96 drive, and whether it was\n                         needed to perform business, thus suggesting a lack of knowledge\n                         on where their office\xe2\x80\x99s data is processed, stored, or shared.\n                         Additionally, IT coordinators\xe2\x80\x99 formal roles and responsibilities are\n                         limited to facilitating IT service requests on behalf of staff. However,\n                         auditors found that IT coordinators interact with their customers on\n                         network and information security issues\xe2\x80\x94most notably, through their\n                         work on annual PII scans\xe2\x80\x94but do not receive role-based training\n                         that reflects this work.\n\n                      4. 
In December of 2010, a network upgrade temporarily removed\n                         access control profiles on a limited number of allegations files. NRC\n                         staff who use the files reported this error, and corrective action was\n                         taken. Although this was an isolated incident, NRC staff\n                         acknowledged a need for quality assurance checks after contractors\n                         perform network upgrades to ensure access controls are\n                         maintained.\n26\n     The \xe2\x80\x95R\xe2\x80\x96 and \xe2\x80\x95S\xe2\x80\x96 drives, specifically.\n27\n  NRC has IT coordinators who support 31 offices including the regions. Some provide agencywide\nsupport. Each office may have one or up to nine IT coordinators.\n\n                                                  9\n\x0c                                                             Audit of NRC\xe2\x80\x99s Shared \xe2\x80\x95S\xe2\x80\x96 Drive\n\n\n\n\n         Management Attention Is Needed To Control Risk of Disclosure,\n         Modification, or Deletion of SUNSI\n\n         Despite instances of problems with controls over SUNSI stored on NRC\n         shared network drives uncovered by the OIG, auditors found no evidence\n         suggesting that this information had been compromised. Nevertheless,\n         without proper training, policy communication, IT coordinator support, and\n         quality assurance controls, SUNSI on the shared network drives may be at\n         greater risk of unintentional or intentional disclosure, modification, and/or\n         deletion. This, in turn, could compromise the confidentiality, integrity, and\n         reliability of SUNSI that NRC needs to perform its mission and protect the\n         privacy of agency staff and public stakeholders. 
Management attention is\n         needed to improve security of SUNSI stored on NRC\xe2\x80\x99s networks, and\n         reduce the risk of information security breaches that could compromise\n         agency operations and the privacy of its personnel.\n\n\nIV.   RECOMMENDATIONS\n\n         OIG recommends that the Executive Director for Operations:\n\n            1. Revise current PII training to include practical scenarios and\n               knowledge checks that address processing PII on shared network\n               drives.\n\n             2. Revise current information security training for NRC staff to address\n                specific practices for protecting SUNSI on the agency\xe2\x80\x99s shared\n                network drives.\n\n             3. Develop CUI policies and guidance for storing and protecting CUI in\n                agency shared drives, and:\n                      a. post this guidance on the NRC intranet; and\n                      b. include this guidance in annual training.\n\n             4. Provide IT coordinators with role-based training focusing on NRC\n                information and network security policies, and means for ensuring\n                staff compliance with these policies.\n\n             5. Implement procedures for quality assurance checks following\n                network upgrades to ensure that access controls are preserved in\n\n                                       10\n\x0c                                                          Audit of NRC\xe2\x80\x99s Shared \xe2\x80\x95S\xe2\x80\x96 Drive\n\n\n\n              shared network drives that process documents containing\n              SUNSI/CUI.\n\n\n\nV.   AGENCY COMMENTS\n\n        At an exit conference on June 30, 2011, agency management provided\n        informal comments on a draft of this report. The Office of the Inspector\n        General incorporated some of these comments as appropriate. 
As a\n        result, the agency opted not to provide formal comments for inclusion in\n        this report.\n\n\n\n\n                                     11\n\x0c                                                          Audit of NRC\xe2\x80\x99s Shared \xe2\x80\x95S\xe2\x80\x96 Drive\n\n\n\n                                                                              Appendix\nSCOPE AND METHODOLOGY\n\n       The audit objective was to assess whether NRC effectively protects\n       electronic documents containing PII and other types of SUNSI on NRC\xe2\x80\x99s\n       shared network drives. To address the audit objective, OIG auditors\n       conducted multiple interviews of NRC staff representing OIS and CSO.\n       Auditors also conducted 28 interviews with IT coordinators representing\n       most NRC program and regional offices. At the time of our analysis, OIS\n       listed 92 IT coordinators representing 31 headquarters and regional\n       offices. OIG auditors also systematically examined files on the agency\xe2\x80\x99s\n       \xe2\x80\x95S\xe2\x80\x96 drive to determine whether SUNSI, including PII, was saved\n       inappropriately.\n\n       OIG auditors reviewed pertinent NRC and Federal Government guidance,\n       including:\n              NRC SUNSI Handling Requirements.\n              MD 12.6, NRC Sensitive Unclassified Information Security\n              Information Program.\n              MD 12.5, NRC Automated Information Security Program.\n              NIST Special Publication 800-53.\n              NIST Special Publication 800-60.\n\n       OIG auditors also reviewed the content of the three required information\n       security annual training online classes \xe2\x80\x93 Computer Security Awareness ,\n       Personally Identifiable Information, and Information Security Awareness \xe2\x80\x93\n       for content on SUNSI handling.\n\n       OIG conducted this performance audit, from January 2011 through May\n       2011, at NRC 
headquarters in Rockville, Maryland, in accordance with\n       generally accepted Government auditing standards. Those standards\n       require the audit to be planned and performed with the objective of\n       obtaining sufficient, appropriate evidence to provide a reasonable basis for\n       any findings and conclusions based on the stated audit objective. OIG\n       believes that the evidence obtained provides a reasonable basis for the\n       report findings and conclusions based on the audit objective. OIG\n       reviewed and analyzed internal controls related to the audit objective.\n       Throughout the audit, auditors were aware of the possibility of fraud,\n       waste, or misuse in the program. The audit was conducted by Beth\n\n\n                                    12\n\x0c                                              Audit of NRC\xe2\x80\x99s Shared \xe2\x80\x95S\xe2\x80\x96 Drive\n\n\n\nSerepca, Team Leader; Paul Rades, Audit Manager; Melissa\nSchermerhorn, Senior Analyst; and Gail Butler, Analyst.\n\n\n\n\n                          13\n\x0c"
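Reason 4 and Recommendation 5 above call for a quality assurance check after network upgrades so that folder access controls, such as the three-person restriction on the allegations folders, are preserved. The following added example is not part of the OIG report and describes no NRC tool: it diffs icacls-style permission listings captured before and after an upgrade and flags folders whose access widened. The share paths, account names ("NRC\analyst1", "NRC\Domain Users") and the list of broad groups are constructed assumptions.

```python
import re
from collections import defaultdict
BROAD = {"Everyone", "NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users", "NRC\\Domain Users"}  # assumed "any employee" groups
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<perm>(?:\([A-Z,]*\))+)$")

def parse_icacls(text):
    """Parse `icacls <share> /t` style output into {path: {principal: rights}}; assumes paths contain no spaces."""
    acls, path = defaultdict(dict), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Successfully processed"):
            continue
        if raw[0].isspace():                 # continuation ACE for the current folder
            ace = raw.strip()
        else:                                # "<path> <first ACE>"
            path, ace = raw.split(" ", 1)
        if (m := ACE_RE.match(ace)):
            acls[path][m.group("who")] = m.group("perm")
    return dict(acls)

def acl_drift(baseline, current):
    """Return {path: [findings]} for each folder whose ACL differs from the baseline; broad groups gaining access are tagged BROAD."""
    out = defaultdict(list)
    for path, base in baseline.items():
        now = current.get(path)
        if now is None:
            out[path].append("folder missing from post-upgrade snapshot")
            continue
        for who, perm in now.items():
            if who not in base:
                out[path].append(f"{'BROAD' if who in BROAD else 'new'} principal added: {who} {perm}")
            elif perm != base[who]:
                out[path].append(f"rights changed for {who}: {base[who]} -> {perm}")
        for who in base.keys() - now.keys():
            out[path].append(f"principal removed: {who}")
    return dict(out)

# Constructed snapshots: before the upgrade three analysts held the allegations
# folder; afterwards it inherited the share default, which grants every domain user.
BASELINE = """\
S:\\Region\\Allegations NRC\\analyst1:(OI)(CI)(M)
                       NRC\\analyst2:(OI)(CI)(M)
                       NRC\\analyst3:(OI)(CI)(M)
                       BUILTIN\\Administrators:(OI)(CI)(F)
S:\\Region\\Public NRC\\Domain Users:(OI)(CI)(RX)
"""
AFTER = """\
S:\\Region\\Allegations NRC\\Domain Users:(I)(OI)(CI)(M)
                       BUILTIN\\Administrators:(I)(OI)(CI)(F)
S:\\Region\\Public NRC\\Domain Users:(OI)(CI)(RX)
"""
```

Running `acl_drift(parse_icacls(BASELINE), parse_icacls(AFTER))` reports the allegations folder only: one BROAD addition, one rights change and three removed analysts, while the public folder, whose permissions did not move, produces no finding.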